With the spread of the Internet and of wireless communication devices, the routes by which malicious code is delivered have become more diverse, and the extent of the damage it causes grows every year. The term "malicious code" as used herein refers to software that has been intentionally produced to perform harmful behavior contrary to the intention and interests of the user, such as destroying the computer system or leaking information. Malicious code takes many forms, including viruses, worms, Trojans, backdoors, logic bombs, trap doors and similar components used as hacking tools, as well as malicious spyware and adware. Through self-replication or automatic propagation, malicious code causes problems such as leakage of personal information (for example a user's password and identifier (ID)), takeover of system control, modification or deletion of files, destruction of the system, denial of service of an application or system, leakage of core data, and installation of further hacking programs, resulting in extremely diverse and serious damage.
An APT (Advanced Persistent Threat), one of the prominent issues of recent years, persistently employs various kinds of malicious code together with sophisticated attack techniques in order to steal the information targeted by the attacker. In particular, an APT attack is rarely detected in its early intrusion phase, and it typically delivers the malicious code inside non-PE files, that is, files that are not in the Portable Executable (PE) format. This is because the programs that open non-PE files, such as word processors or image viewers, inherently carry some degree of security vulnerability, and because, once malicious code is embedded in a non-PE file, a variant can easily be produced merely by altering the non-PE file.
Owing to these properties, there are many cases in which an APT attack uses a malicious non-PE file carrying an exploit to mount a zero-day attack. For example, if a recipient inadvertently opens a malicious non-PE file attached to an e-mail, the recipient's computer system is infected with a malicious file, which can then attack and intrude into other computer systems to steal key data. In addition, because non-PE files come in a wide variety of formats, a substantial amount of time and effort is needed for an expert to examine whether a non-PE file is malicious and to analyze the harmful activities it performs. Moreover, with almost all conventional techniques it is not easy to find a countermeasure against variant malware that is modified or newly created even during the analysis period.
Research on malware treatment systems (vaccine programs, i.e. anti-virus software) has continued in order to detect and remove malicious code. Most malware treatment systems known so far are designed to detect malicious code within an executable file.
The reason such systems detect malicious code in executable files is that most malicious code takes the form of an executable file for a particular system so that it can run on that system. For example, the file extensions of malicious code that must be executed on a Windows system are exe, cpl, ocx, dll, vxd, sys, scr, drv and the like.
However, the malicious shellcode that has recently attracted attention is instead inserted into files of a non-PE format so that it can bypass both the malware treatment system and the expert. By way of example, the extensions of non-PE files used as carriers for malicious code on a Windows system include HWP, DOC, XLS, JS, HTML, JPG and the like. Because such a file is opened by its associated application rather than executed directly, a scanner that inspects only files with executable extensions never examines it.
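The passage above implies the practical point that a scanner keyed on executable extensions misses executable content hidden in a document. The following is an added example, not code from the original page, showing a content-based check: it validates the MZ/PE header pair at any offset in a buffer, so an executable image embedded in a file that claims to be a DOC is flagged regardless of its extension. The sample inputs (an OLE compound-document signature followed by a constructed minimal PE header stub) are built inline and are not real malware; the extension lists are the ones the passage gives. Function names are assumptions of this example.

```python
import struct

# Extensions named in the text: executable on Windows vs. non-PE carrier formats.
PE_EXTENSIONS = {"exe", "cpl", "ocx", "dll", "vxd", "sys", "scr", "drv"}
NON_PE_EXTENSIONS = {"hwp", "doc", "xls", "js", "html", "jpg"}

# Constructed: the compound-document (OLE) signature used by legacy .doc/.xls files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def pe_header_at(data: bytes, offset: int) -> bool:
    """True if a well-formed DOS header whose e_lfanew points at 'PE\\0\\0' starts at offset."""
    if data[offset:offset + 2] != b"MZ" or len(data) < offset + 0x40:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, offset + 0x3C)
    pe_off = offset + e_lfanew
    # e_lfanew must be plausible and the PE signature must lie inside the buffer,
    # otherwise a random "MZ" pair in text or image data would be a false positive.
    if e_lfanew > 0x1000 or pe_off + 4 > len(data):
        return False
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


def find_embedded_pe(data: bytes) -> list:
    """Offsets of every validated PE image in data, wherever it sits (not only offset 0)."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pe_header_at(data, pos):
            hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def classify(filename: str, data: bytes) -> dict:
    """Compare what the extension claims with what the bytes contain."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in PE_EXTENSIONS:
        claimed = "pe"
    elif ext in NON_PE_EXTENSIONS:
        claimed = "non-pe"
    else:
        claimed = "unknown"
    embedded = find_embedded_pe(data)
    return {
        "extension": ext,
        "claimed": claimed,
        "actual": "pe" if pe_header_at(data, 0) else "non-pe",
        "embedded_pe_offsets": embedded,
        # A document format carrying a valid PE image is the case the text describes.
        "suspicious": claimed == "non-pe" and bool(embedded),
    }


def make_fake_pe() -> bytes:
    """Constructed minimal MZ/PE header stub for the demo; it is not a runnable executable."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> PE signature right after it
    file_header = b"\x4c\x01" + b"\x00" * 18          # Machine = i386, rest zeroed
    return bytes(dos) + b"PE\x00\x00" + file_header


# Constructed sample: a "document" with an executable image hidden after a padding area.
FAKE_DOC = OLE_MAGIC + b"\x00" * 504 + b"shellcode stub..." + make_fake_pe() + b"\x00" * 32
CLEAN_DOC = OLE_MAGIC + b"\x00" * 512


if __name__ == "__main__":
    for name, blob in (("report.doc", FAKE_DOC), ("memo.doc", CLEAN_DOC), ("tool.exe", make_fake_pe())):
        print(name, classify(name, blob))
```

The header validation is deliberately stricter than a bare search for the two bytes "MZ": JPEG and text data contain that pair often enough that an unvalidated match would flood an analyst with false positives, which is the same trade-off the text raises for signature and behavior based approaches.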
To determine whether a non-PE file is malicious, an expert must examine every such file for malicious code. In particular, for a non-PE file that carries an exploit, a substantial amount of time and effort is needed for the expert to decide whether the file is malicious and to analyze its harmful activities. Moreover, with almost all conventional techniques it is nearly impossible to find a countermeasure against variant malware that is modified or newly created even during the analysis period.
Therefore, as described above, there is a strong need for techniques that defend against the use of malicious non-executable exploits in an APT attack scenario.
Related-art methods for inspecting malicious code include signature-based inspection. However, a signature-based method cannot properly defend against a zero-day exploit, because a large database of signatures is required to identify the different types of attack, and no signature yet exists for an attack that has not been seen before.
Another method for detecting malicious code within a non-PE file is to detect behaviors, which vary depending on how the attacker designed the shellcode contained in the malicious non-PE file. However, this method requires information such as the design methods used by different attackers, and it therefore produces both false positives and false negatives.